Switch Support Overview

For all switch models/NMEs, Cisco recommends checking for limitations and verifying support for MAC notification and/or linkup-linkdown SNMP traps for the switch OS version you intend to use. See Known Issues with Switches/WLCs for further details.

Administrators update switch and Wireless LAN Controller (WLC) support object IDs (OIDs) using the update function in the CAM Device Management > Clean Access > Updates web console page. For example, if a new model of a supported switch family is released, Cisco NAC Appliance administrators only need to retrieve an update to ensure the latest support for switch OIDs. (That is, you are not required to upgrade the CAM/CAS software image itself.) The update switch OID feature only applies to existing models. If a new switch series is introduced, administrators will still need to upgrade to ensure OOB support for the new switches. Refer to the “Switch Management” (OOB) chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide for details.

For L2 deployments, user MAC/IP addresses need to be visible to the CAS

For L3 deployments (i.e. where the CAS can be one or more hops away from the user), the CAS differentiates users by IP address

For Out-of-Band (OOB) Deployments

With Cisco NAC Appliance Out-of-Band deployment, the CAS is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not pass through the CAS. In an OOB deployment, the Clean Access Manager (CAM) uses SNMP to control switches and set VLAN assignments for ports. When the CAM/CAS are set up for OOB, the CAM can control the switch ports of supported switches/NMEs with the corresponding minimum IOS/CatOS versions listed in the collection of switch family support tables in Cisco NAC Appliance Switch Support Matrixes.

Cisco NAC Appliance Switch Support Matrixes

The following tables include all Cisco switch models supported with Cisco NAC Appliance for both In-Band and Out-of-Band deployments:

Note Starting from NAC Appliance Release 4.9(0), switches whose OID starts with “1.3.6.1.4.1.9” (the Cisco enterprise arc) are added to the CAM database as Cisco-supported switches, so Cisco switches with OIDs of the form 1.3.6.1.4.1.9.xxx are supported by the CAM from release 4.9(0) onward.

4. Cisco NAC Appliance 4.1(3) and later supports MAC-move notifications from switches. See MAC-Move Notification Support for details.

5. Cisco IOS 12.1(14)EA1 or later is required for 2950/2950 LRE switches. 2950s running 12.1(11) through 12.1(13) may experience caveat CSCea56777, which prevents the VLAN from being changed on the switch itself.

7. The IE 3000/3010 switch series runs the same baseline IOS as the Catalyst 2960. To add or configure this switch on the CAM, choose Cisco Catalyst 2960 series from the drop-down in the CAM Switch Management > Profiles > Switch > New > Switch Model web console page.

14. CCA OOB supports 3750 StackWise technology. With stacks, when mac-notification is used and there are more than 252 ports on the stack, mac-notification cannot be set or unset for the 252nd port from the CAM. There are two workarounds: 1) use linkup/linkdown SNMP notifications only; 2) if using mac-notification, do not use the 252nd port and ignore the error; the other ports work normally.

15. If the CAM uses SNMP v3 for write access, a 4500 switch might get disabled after 10 consecutive write failures. All 4500 switches with the default SNMP EngineID configuration might boot up with the same EngineID because of IOS caveat CSCsz43512.

16. Catalyst 4000/4500 code support depends on the Supervisor, not the chassis. On the Catalyst 4000/4500, Supervisor I/II support only CatOS.

17. On the Catalyst 4000/4500, Supervisor II+/III/IV/V support only IOS. For IOS code, MAC notification is supported only from 12.2(31)SG onward. Supervisor III does not support 12.2(31)SG (and therefore does not support mac-notification) and must run the 12.2(25)EWA release train. Supervisor II+/IV/V support 12.2(31)SG. If using linkup notification for OOB, code prior to 12.2(31)SG can also be used.

22. Catalyst 6000/6500 on IOS supports mac-notification from 12.2(33)SXH onward. If the Catalyst 6000/6500 is at the edge and a user connects directly to the switch, SNMP linkup notification can be used with an earlier minimum release (IOS 12.1(8a)EX). If the user connects from behind an IP phone, mac-notification is required: the switch port stays up while the PC behind the phone connects or disconnects, so no linkup/linkdown trap is generated for that user.

23. The 7600 series router line and the 6500 series switch line are interchangeable for support purposes.

25. With IOS release 12.2(25)SEG for the CE500, MAC-NOTIFICATION SNMP traps are supported on all Smartport roles (including the DESKTOP and IPPHONE roles). After upgrading to 12.2(25)SEG, customers can configure MAC-NOTIFICATION for the CE500 under Switch Management > Devices > List > Config [Switch IP] > Config > Advanced on the CAM. For CCA 3.6.2, 3.6.3, 4.0.0, 4.0.1 and 4.0.2, the CE500 supports linkup/linkdown SNMP notifications by default, and the “OTHER role” warning message can be ignored when changing to MAC-NOTIFICATION traps. In future Cisco NAC Appliance releases this warning message will be removed and the default control method for the CE500 will be MAC-NOTIFICATION traps.

26. If running an IOS version lower than 12.2(25)SEG, the CE500 switch ports must be assigned to the OTHER role (not Desktop or IP phone) in the switch's Smartports configuration; otherwise, mac-notification is not sent.
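Footnotes 22 and 26 turn on the difference between the two trap types the CAM can consume: a linkup/linkdown trap only tells the CAM that a port changed state, whereas a mac-notification trap carries the actual MAC, VLAN and port of each learnt or removed address, which is what the CAM needs when the user sits behind an IP phone and the port never goes down. The following decoder is an added example, not Cisco NAC Appliance code: it unpacks the cmnHistMacChangedMsg octet string carried in a CISCO-MAC-NOTIFICATION-MIB trap and folds the events into a per-port MAC table. The 11-byte record layout (operation, VLAN, MAC, dot1dBasePort) is my reading of the MIB, stated as an assumption, and the sample payload is constructed.

```python
"""Decode cmnHistMacChangedMsg from a CISCO-MAC-NOTIFICATION-MIB trap and
track which MACs are present behind each port.

Added example, not Cisco NAC Appliance code. Record layout (assumption, from my
reading of the MIB): each record is 11 bytes, big-endian,
operation(1) + VLAN(2) + MAC(6) + dot1dBasePort(2);
operation 1 = MAC learnt, 2 = MAC removed."""
import struct

RECORD = struct.Struct(">BH6sH")          # 11 bytes per record
OPERATIONS = {0: "no-op", 1: "learnt", 2: "removed"}


def decode_mac_changed_msg(blob):
    """Return a list of dicts, one per 11-byte record in the octet string."""
    if len(blob) % RECORD.size:
        raise ValueError(f"payload length {len(blob)} is not a multiple of {RECORD.size}")
    records = []
    for offset in range(0, len(blob), RECORD.size):
        op, vlan, mac, port = RECORD.unpack_from(blob, offset)
        records.append({
            "op": OPERATIONS.get(op, f"unknown({op})"),
            "vlan": vlan,
            "mac": ":".join(f"{b:02x}" for b in mac),
            "port": port,
        })
    return records


def apply_events(records, state=None):
    """Fold learnt/removed events into {port: {mac: vlan}} and return the table."""
    state = {} if state is None else state
    for rec in records:
        macs = state.setdefault(rec["port"], {})
        if rec["op"] == "learnt":
            macs[rec["mac"]] = rec["vlan"]
        elif rec["op"] == "removed":
            macs.pop(rec["mac"], None)
    return state


# Constructed sample: an IP phone (voice VLAN 100) is learnt on port 5, then a PC
# behind the phone (data VLAN 10) is learnt and later removed on the same port.
# Port 5 never changes link state, so no linkUp/linkDown trap would be sent.
SAMPLE_MSG = (
    b"\x01\x00\x64\x00\x11\x22\x33\x44\x55\x00\x05"   # learnt  vlan 100 00:11:22:33:44:55 port 5
    b"\x01\x00\x0a\xaa\xbb\xcc\xdd\xee\xff\x00\x05"   # learnt  vlan 10  aa:bb:cc:dd:ee:ff port 5
    b"\x02\x00\x0a\xaa\xbb\xcc\xdd\xee\xff\x00\x05"   # removed vlan 10  aa:bb:cc:dd:ee:ff port 5
)

if __name__ == "__main__":
    events = decode_mac_changed_msg(SAMPLE_MSG)
    for event in events:
        print(event)
    print(apply_events(events))
```

After the three records the only address left on port 5 is the phone's; the PC's arrival and departure were visible only through the MAC events, which is exactly the case in which footnote 22 says mac-notification is required.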

Note If the CAM uses SNMP v3 for write access, wireless clients might not move into the Access VLAN even after the NAC Agent on the client has passed posture validation following a WLC reboot. Refer to WLC caveat CSCtb78072.
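Footnote 15 above describes 4500 switches that come up sharing one SNMPv3 engine ID. Because SNMPv3 authentication, localized keys and replay protection (engine boots and time) are all keyed on the engine ID, two switches presenting the same ID to the CAM make write failures, and the resulting disable after 10 consecutive failures, hard to diagnose. The following fleet check is an added example, not Cisco NAC Appliance code: it parses the local engine ID out of collected "show snmp engineID" output, decodes it per the RFC 3411 SnmpEngineID layout, and reports IDs shared by more than one switch. The hostnames and the output lines are constructed, and the "Local SNMP engineID:" line format is assumed.

```python
"""Fleet check for duplicate SNMPv3 engine IDs (the condition behind footnote 15).

Added example, not Cisco NAC Appliance code. Engine ID layout follows RFC 3411:
if the first bit is set, bytes 1-4 carry the enterprise number, byte 5 the
format (3 = MAC address) and the remaining bytes the format-specific data.
The 'show snmp engineID' lines below are constructed."""
import re
from collections import defaultdict

FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def decode_engine_id(hexstr):
    """Decode an RFC 3411 engine ID into its enterprise, format and data."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 5 or not raw[0] & 0x80:
        # RFC 1910-style (legacy) engine ID: no structure to decode
        return {"format": "legacy", "enterprise": None, "data": raw.hex()}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt = raw[4]
    name = FORMATS.get(fmt, "enterprise-specific" if fmt >= 128 else "reserved")
    return {"format": name, "enterprise": enterprise, "data": raw[5:].hex()}


def parse_engine_id(show_output):
    """Extract the local engine ID from 'show snmp engineID' output
    (assumed line 'Local SNMP engineID: <hex>'); returns lowercase hex or None."""
    m = re.search(r"Local SNMP engineID:\s*([0-9A-Fa-f]+)", show_output)
    return m.group(1).lower() if m else None


def find_duplicates(outputs):
    """outputs: {hostname: show-output}. Returns {engine_id: [hosts]} for every
    engine ID shared by more than one switch."""
    by_id = defaultdict(list)
    for host, out in outputs.items():
        eid = parse_engine_id(out)
        if eid:
            by_id[eid].append(host)
    return {eid: hosts for eid, hosts in by_id.items() if len(hosts) > 1}


# Constructed sample: two 4500s booted with the same default engine ID
# (enterprise 9 = Cisco, format 3 = MAC-based, followed by a made-up MAC).
SAMPLE = {
    "sw4500-a": "Local SNMP engineID: 8000000903001122334455\nRemote Engine ID ...\n",
    "sw4500-b": "Local SNMP engineID: 8000000903001122334455\n",
    "sw3750-c": "Local SNMP engineID: 80000009030A0B0C0D0E0F\n",
}

if __name__ == "__main__":
    for eid, hosts in find_duplicates(SAMPLE).items():
        print(f"duplicate engine ID {eid} ({decode_engine_id(eid)}) on {hosts}")
```

Any duplicate reported here should be resolved on the switch (by configuring a unique snmp-server engineID and re-creating the SNMPv3 users, since localized keys depend on the engine ID) before the CAM is pointed at it with SNMP v3 write access.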

Known Issues with Switches/WLCs

This section describes known issues when integrating Cisco NAC Appliance with the following switch models/wireless LAN controllers and deployment types:

For Cisco NAC Appliance in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the CAS are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.

Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.

Note When configuring SNMP settings on switches, never use the “@” character in the community string. Cisco IOS reserves the form “community@vlan-id” for community string indexing (a per-VLAN view of the BRIDGE-MIB), so an “@” inside the configured string changes how the switch interprets the CAM's requests.

Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) and DHCP

Due to changes in DHCP server operation with Cisco NAC Appliance release 4.0(2) and later, networks with Cisco 2200/4400 Wireless LAN Controllers (also known as Airespace WLCs) which relay requests to the CAS (operating as a DHCP server) may have issues. Client machines may be unable to obtain DHCP addresses.

If you have DHCP issues with Airespace controllers after installing/upgrading to release 4.0(2), the following will need to be done to restore DHCP functionality:

Preventing Loops on Central Switch for VGW/Central Deployments

In a Virtual Gateway Central deployment, both interfaces of the CAS are connected to the same switch. Because the CAS bridges traffic between eth0 and eth1 in Virtual Gateway mode, plugging both interfaces into one switch before VLAN mapping is configured creates a bridging loop. Administrators must use the following procedure for correct configuration of a Virtual Gateway Central Deployment. To prevent looping on any central/core switch as you plug both interfaces of the CAS into the switch, perform the following steps:

1. Before you connect both interfaces of the CAS to the switch, SSH to the CLI of the CAS and disable the eth1 (untrusted interface) using the CLI command:

ifconfig eth1 down

2. Physically connect the eth0 and eth1 interfaces of the CAS to the network.

3. After you have added the CAS to the CAM web console, make sure to set the VLAN to be mapped under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. Also make sure you check the “Enable VLAN Mapping” checkbox and click Update.

4. For the 802.1q ports configuration on the switch, make sure to prune all other VLANs for switches trunking to eth0 and eth1 of the CAS except those used for the CAS Management VLAN and the User VLANs.
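Step 4 is the one most often left incomplete: a trunk that still allows 1-4094 toward either CAS interface carries every VLAN into the bridge, not just the Management VLAN and the User VLANs. The following checker is an added example, not Cisco NAC Appliance code: it parses the "Vlans allowed on trunk" section of "show interfaces trunk" output and reports, for each CAS-facing port, any allowed VLAN outside the permitted set. The port names, VLAN numbers and the show output are constructed.

```python
"""Verify that trunks facing CAS eth0/eth1 allow only the CAS Management VLAN and
the User VLANs (step 4 of the VGW Central procedure).

Added example, not Cisco NAC Appliance code. The 'show interfaces trunk' output,
the port names and the VLAN numbers are constructed."""


def parse_vlan_list(spec):
    """'1,10,100-110' -> {1, 10, 100, ..., 110}; 'none' -> empty set."""
    vlans = set()
    spec = spec.strip()
    if spec.lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_allowed_on_trunk(show_output):
    """Return {port: set_of_vlans} from the 'Vlans allowed on trunk' section only."""
    allowed = {}
    in_section = False
    for line in show_output.splitlines():
        if line.startswith("Port") and "Vlans allowed on trunk" in line:
            in_section = True
            continue
        if in_section:
            if not line.strip():          # blank line ends the section
                in_section = False
                continue
            port, spec = line.split(None, 1)
            allowed[port] = parse_vlan_list(spec)
    return allowed


def cas_trunk_violations(show_output, cas_ports, permitted):
    """For each CAS-facing port, list allowed VLANs outside the permitted set,
    or flag the port if it is not trunking at all."""
    allowed = parse_allowed_on_trunk(show_output)
    violations = {}
    for port in cas_ports:
        if port not in allowed:
            violations[port] = "not trunking"
            continue
        extra = sorted(allowed[port] - set(permitted))
        if extra:
            violations[port] = extra
    return violations


# Constructed sample: Gi1/0/1 (CAS eth0) was never pruned, Gi1/0/2 (CAS eth1) was.
SAMPLE_SHOW = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/1     on           802.1q         trunking      1
Gi1/0/2     on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     10,20,30

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10,20,30
Gi1/0/2     10,20,30
"""

if __name__ == "__main__":
    # 10 = CAS Management VLAN, 20 and 30 = User VLANs (constructed numbers)
    for port, problem in cas_trunk_violations(SAMPLE_SHOW, ["Gi1/0/1", "Gi1/0/2"], {10, 20, 30}).items():
        print(port, problem if isinstance(problem, str) else f"{len(problem)} extra VLANs, e.g. {problem[:5]}")
```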

OOB Switch Trunk Ports and Upgrade

Because Cisco NAC Appliance can control switch trunk ports for OOB, ensure that the uplink ports for controlled switches are configured as “uncontrolled” ports before or after upgrade. This can be done in one of two ways:

Switch OID Support

Administrators can update the object IDs (OIDs) of supported switches by performing a CAM update (under Device Management > Clean Access > Updates). For example, if a new switch (such as C3750-XX-NEW) of a supported model (Catalyst 3750 series) is released, administrators only need to perform Cisco Updates on the CAM to obtain support for the switch OIDs, instead of performing a software upgrade of the CAM/CAS. The update switch OID feature only applies to existing models. If a new switch series is introduced, administrators will still need to upgrade to ensure OOB support for the new switches.

Starting from Release 4.5, administrators can also update the object IDs (OIDs) of Wireless LAN Controller platforms supported for the Wireless OOB feature by performing a CAM update.

Before opening a support case for Switch OID support

1. On the CAM go to Device Management > Clean Access > Updates. Make sure to perform an Update and verify the current version of the “Supported Out-of-Band Switch OIDs.”

2. If the switch still cannot be managed from the CAM, get the OID from the switch by running the following command from the CAM:
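Whatever command is used to read it, the value that matters is the switch's sysObjectID (SNMPv2-MIB, 1.3.6.1.2.1.1.2.0), and the note in the support matrix section says the CAM treats anything under the Cisco enterprise arc 1.3.6.1.4.1.9 as a Cisco switch from release 4.9(0). The following helper is an added example, not Cisco NAC Appliance code: it normalizes the sysObjectID as net-snmp prints it (symbolic or numeric), checks it against the Cisco arc by OID component rather than by string prefix (so 1.3.6.1.4.1.90 is correctly rejected), and says whether the OID is in a supported-OID table, is Cisco but unknown (re-run Cisco Updates, then use the Verify tab), or is non-Cisco. The supported-OID table and the snmpget output lines are constructed placeholders, and the symbolic prefixes are assumed to be net-snmp's defaults.

```python
"""Normalize a switch's sysObjectID and decide how the CAM would treat it.

Added example, not Cisco NAC Appliance code. The SUPPORTED table and the
snmpget output lines are constructed placeholders; the symbolic prefixes are
assumed to be what net-snmp prints with its default MIB set."""
import re

CISCO_ARC = (1, 3, 6, 1, 4, 1, 9)          # Cisco enterprise arc from the 4.9(0) note
SYMBOLIC = {                                 # assumption: net-snmp default MIB names
    "SNMPv2-SMI::enterprises": "1.3.6.1.4.1",
    "iso.org.dod.internet.private.enterprises": "1.3.6.1.4.1",
}


def normalize_oid(text):
    """Return the OID as a tuple of ints from numeric ('.1.3.6...') or symbolic form."""
    text = text.strip()
    for sym, num in SYMBOLIC.items():
        if text.startswith(sym):
            text = num + text[len(sym):]
            break
    text = text.lstrip(".")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not an OID: {text!r}")
    return tuple(int(x) for x in text.split("."))


def parse_sysobjectid(snmp_output):
    """Pull sysObjectID.0 out of snmpget/snmpwalk output (symbolic or numeric name)."""
    m = re.search(r"(?:sysObjectID\.0|1\.3\.6\.1\.2\.1\.1\.2\.0)\s*=\s*OID:\s*(\S+)", snmp_output)
    return normalize_oid(m.group(1)) if m else None


def is_cisco(oid):
    """Component-wise arc check: 1.3.6.1.4.1.9.x is Cisco, 1.3.6.1.4.1.90.x is not."""
    return oid[:len(CISCO_ARC)] == CISCO_ARC


def classify(oid, supported):
    """supported: {oid_tuple: model_name}. Returns (status, detail)."""
    if oid in supported:
        return "supported", supported[oid]
    if is_cisco(oid):
        return "cisco-unknown", "run Cisco Updates, then OOB Management > Devices > Verify"
    return "non-cisco", "not supported by the CAM"


# Constructed table, not the CAM's real "Supported Out-of-Band Switch OIDs" list
SUPPORTED = {
    normalize_oid("1.3.6.1.4.1.9.1.516"): "model-A (placeholder)",
}

# Constructed snmpget output lines, one symbolic and one numeric (-On style)
SAMPLE_LINES = [
    "SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.516",
    ".1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.9.1.9999",
    ".1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.90.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        oid = parse_sysobjectid(line)
        print(".".join(map(str, oid)), *classify(oid, SUPPORTED))
```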

NAC Appliance Device Support

Cisco NAC Appliance Release 4.9 introduces Universal Switch Support, which lets Cisco NAC Appliance manage any Cisco switch as long as it supports the MIBs used by NAC. Universal Device Support is limited to Cisco switches; non-Cisco switches are not supported.

Starting from Cisco NAC Appliance Release 4.9, you can view the list of supported devices and check whether a device supports the MIBs that are used by NAC.

In the CAM Web Console, go to OOB Management > Profiles > Device > New. You can click the link available at the top of this tab to view the list of supported device models.

You can verify whether a device is supported by using the Verify tab. This utility verifies a device already added to the CAM or a new device that is yet to be added. This option is available in the CAM Web Console in the OOB Management > Devices > Devices > Verify tab.

Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)

Table 20 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the CAS for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.